A threat actor claims to have hacked and published data on 12 million Zacks Investment Research accounts
# Incident Report: Zacks Investment Research Data Breach (June 2024)
## Executive Summary
Zacks Investment Research, a stock research and analysis firm, suffered a major data breach in June 2024, resulting in the exposure of 12 million customer accounts. Details of the breach, including personal data and source code, were published on the dark web marketplace BreachForums. This marks the third significant data security incident for Zacks in four years, highlighting ongoing deficiencies in their security posture.
## Incident Details
- Discovery Date: Late February 2025 (when the data was published on BreachForums)
- Incident Date: June 2024 (when the intrusion itself occurred)
- Affected Organization: Zacks Investment Research
- Sector: Financial Services / Stock Research and Analysis
- Geography: Not specified in the source; US-based operations are likely given the sector.
## Timeline of Events
### Initial Access
- Date/Time: June 2024
- Vector: Not explicitly detailed, but context suggests exploitation of weak security practices.
- Details: Attackers successfully accessed systems containing customer records.
### Lateral Movement
- Not detailed in the source article.
### Data Exfiltration/Impact
- Data exposed included 12 million unique email addresses, IP addresses, physical addresses, names, usernames, phone numbers, and unsalted SHA-256 password hashes.
- Source code was also compromised and offered for sale to interested buyers with high reputation scores.
### Detection & Response
- Detection: The exposure was detected when the data trove was published by a user named "Jurak" on BreachForums.
- Response actions taken by Zacks are not detailed; the article notes Zacks did not respond to contact attempts regarding the incident.
## Attack Methodology
- Initial Access: Unknown, potentially social engineering or vulnerability exploitation based on expert commentary regarding "weak security practices."
- Persistence: Not detailed.
- Privilege Escalation: Not detailed.
- Defense Evasion: Not detailed.
- Credential Access: Unsalted SHA-256 password hashes were obtained.
- Discovery: Not detailed.
- Lateral Movement: Not detailed.
- Collection: PII and source code were collected.
- Exfiltration: Data was posted publicly on BreachForums.
- Impact: Data theft, source code theft, potential regulatory violations (SEC).
## Impact Assessment
- Financial: Not specified, but significant costs for remediation and for a third round of breach notifications are implied.
- Data Breach: 12 million customer records including names, PII (addresses, phone numbers), emails, usernames, and password hashes. Source code was also stolen, posing a risk of further zero-day exploitation.
- Operational: Potential regulatory scrutiny (SEC, privacy laws).
- Reputational: Significant reputational damage due to being the third major breach in four years.
## Indicators of Compromise
- Network indicators: *Defanged URLs used for listing the breach:* `hxxps://www.breachforums.com`
- File indicators: Source code files (not enumerated in the source article).
- Behavioral indicators: Unauthorized access/exfiltration resulting in data posting on dark web forums.
## Response Actions
- Containment: Not detailed in the article.
- Eradication: Not detailed in the article.
- Recovery: Not detailed in the article. (Note: Zacks did not respond to inquiries regarding the incident.)
## Lessons Learned
- **Repetitive Failures:** The recurrence of major breaches (third in four years) indicates systemic and potentially unaddressed security vulnerabilities, likely related to basic controls.
- **Password Hashing:** Use of unsalted SHA-256 hashes indicates an outdated and insufficient scheme: SHA-256 is fast by design, and without a per-user salt every account with the same password shares the same hash, so precomputed tables and dictionary attacks apply to the whole set at once, leaving credentials highly susceptible to cracking.
- **Asset Visibility:** The compromise of source code highlights risks associated with intellectual property and potential future exploitation pathways.
## Recommendations
- **Multi-Factor Authentication (MFA):** Mandate MFA across all customer and internal accounts to mitigate the risk posed by compromised password hashes.
- **Modernize Hashing:** Immediately upgrade password storage to use strong, modern, salted, and adaptive hashing algorithms (e.g., Argon2, bcrypt).
- **Enhanced Threat Intelligence & Sharing:** Participate actively in sector-specific ISACs (like FS-ISAC) to gain proactive visibility into emerging threats impacting financial services.
- **Continuous Security Awareness:** Increase the frequency and efficacy of employee training focused on recognizing social engineering and phishing, addressing the likely root cause of initial access.
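To make the hashing lesson and the "Modernize Hashing" recommendation concrete, here is an added example (not code from the article or from Zacks) of what an unsalted SHA-256 table looks like to a defender, and how such a table can be upgraded in place. It uses scrypt from Python's standard library as a stand-in for the Argon2/bcrypt named above, and the user table and passwords are constructed for illustration.

```python
import hashlib
import hmac
import os

# Legacy scheme the report describes: a single unsalted SHA-256 of the password.
def legacy_sha256(password: str) -> str:
    return hashlib.sha256(password.encode()).hexdigest()

# Constructed sample user table (not real data): two users share a password.
LEGACY_TABLE = {
    "alice": legacy_sha256("Summer2024!"),
    "bob": legacy_sha256("Summer2024!"),
    "carol": legacy_sha256("correct horse battery staple"),
}

def reused_password_accounts(table: dict) -> int:
    """Accounts whose hash also appears on another account. With unsalted hashes,
    password reuse is visible at a glance and one precomputed table hits every row."""
    seen = {}
    for h in table.values():
        seen[h] = seen.get(h, 0) + 1
    return sum(c for c in seen.values() if c > 1)

# Hardened scheme: 16-byte random salt per user plus a memory-hard KDF. scrypt
# from the standard library stands in for the Argon2/bcrypt the report names.
N, R, P = 2 ** 14, 8, 1  # ~16 MiB per hash; tune to the service's login budget

def _kdf(secret: str, salt: bytes) -> bytes:
    return hashlib.scrypt(secret.encode(), salt=salt, n=N, r=R, p=P, dklen=32)

def hash_password(secret: str, wrap_legacy: bool = False) -> str:
    """wrap_legacy=True takes the stored SHA-256 hex as the secret, so every row
    can be upgraded immediately instead of waiting for each user's next login."""
    salt = os.urandom(16)
    scheme = "scrypt+sha256" if wrap_legacy else "scrypt"
    return f"{scheme}${salt.hex()}${_kdf(secret, salt).hex()}"

def verify_password(password: str, stored: str) -> bool:
    scheme, salt_hex, digest_hex = stored.split("$")
    if scheme not in ("scrypt", "scrypt+sha256"):
        return False
    secret = legacy_sha256(password) if scheme == "scrypt+sha256" else password
    got = _kdf(secret, bytes.fromhex(salt_hex))
    return hmac.compare_digest(got, bytes.fromhex(digest_hex))  # constant-time

def migrate_table(table: dict) -> dict:
    """Wrap every legacy hash in place; per-user salts make duplicates disappear."""
    return {user: hash_password(h, wrap_legacy=True) for user, h in table.items()}
```

On a user's next successful login the wrapped entry can be replaced by a plain `scrypt` entry computed from the plaintext, retiring the SHA-256 layer entirely.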